Re: [Fwknop-discuss] use of ENABLE_CMD_SUDO_EXEC

Fri, 14 Oct 2016 05:39:18 -0700 

On Thu, Oct 13, 2016 at 11:30 AM, Stephen Isard <xkyr47r...@snkmail.com>
wrote:

> Hello,
>

Hello Stephen,


>
> I don't understand what practical difference the use of
> ENABLE_CMD_SUDO_EXEC makes.  Without it, fwknopd changes uid to the
> CMD_EXEC_USER, gid to CMD__EXEC_GROUP and tries to run the given
> command.  With it, fwknopd runs, as root,
> sudo -u sudo_cmd_user -g sudo_cmd_group command
> Either way, it looks as if the command will be run if the user has
> permission to run it and otherwise not.  Perhaps there is something that
> can be done in /etc/sudoers to change this behavior, but I don't
> immediately see what it would be, and in any case it would have to
> change the permissions of root under sudo, which could have
> repercussions elsewhere.
>
> Wouldn't it be better to change the uid and gid to the exec user and
> group and then run
> sudo -n command  ?
> That way, it would only be possible to run commands that /etc/sudoers
> gives the exec user explicit permission to run without a password.
>
> For instance, the user nobody has permission to run the date command,
> but not to run "sudo date" unless /etc/sudoers has had a line inserted
> to permit it.
>

Yes, I think you are right. The goal of the feature was to allow the
capable sudoers filtering policy to apply to commands that users would run
instead of just relying on filesystem permissions. I need to double check
that '-u <user>' doesn't apply the user policy even though the invoking
user is root? If this is correct, then yes fwknopd should setuid() first.
Actually it might as well do that anyway I suppose.

Thanks,

--Mike


>
> Stephen Isard
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

Reply via email to